As economic tough times continue, there's one thing companies can count on: more regulations. For the CIO and the IT department, that will mean more time spent grappling with and monitoring a seemingly endless (and growing) mountain of data related to compliance.

How pervasive is the challenge? Last May, the Information Systems Audit and Control Association (ISACA) surveyed more than 3,000 of its members and found that regulatory compliance ranked among the top five business issues facing IT managers and executives. In its report, ISACA notes that "regulatory compliance still operates in a 'project mode' and has not yet been embedded in business processes."

CIOs who seek to conquer compliance issues have found various routes, and tools, to help them achieve that aim. Some have purchased governance, risk management and compliance (GRC) tools to automate the process of staying on top of rules and regulations. Others have combined products such as office suites or accounting software with strong governance and business process frameworks. Both methods can succeed in identifying compliance requirements and making sure your company is effectively following the rules. So which way should you go?

There is no black-and-white answer to the question. However, a company's size and the scope of its operations can help guide the decision, says Forrester senior analyst Marc Othersen.

Make the Work Easier

A GRC tool can be an effective way to achieve compliance if your business is subject to many regulations and if the organization is spread out globally, says Othersen. Other countries have different regulations and industry standards, so a company with global operations has more rules to follow, he says. A tool can make it easier and more cost-effective for a company to comply with regulations wherever it does business.

Holly Marr, operations management organization leader at Acxiom, a global provider of information management solutions, started using CA's GRC Manager about six months ago to keep on top of approximately 900 compliance controls that the $1.4 billion company must abide by. "Our company has been learning how to manage the process [of compliance] in the most efficient way, and the tool is a way to go," she says.

Before the tool, internal auditors manually tested the controls for each regulation; the results then had to be documented and sometimes remediated. All of this information was housed in Excel spreadsheets and other documents that had to be shipped to the internal auditors, regulators, upper management and regional offices for sign-off. Marr and her team chose CA's tool because it helps them automatically map controls to industry standards such as the IT governance framework COBIT, and because it consolidates the company's compliance data in one place. Doing both of those things by hand was labor-intensive for IT, says Marr.

GRC tools often automate time-consuming manual processes, cutting testing time from weeks to days, says Forrester's Othersen. Without such tools, a company might have to test manually for every regulation, which takes time, money and effort, especially if a company has thousands of servers or global IT operational processes.

By implementing GRC Manager, Acxiom expects to shave two days off the process of creating its monthly and quarterly compliance reports. Acxiom also created a central repository for all its compliance data, which helps promote transparency and may cut costs. Marr says the tool allows IT to focus more closely on important business risk factors and on how to better facilitate project management and workflow.

GRC tools also significantly streamline the compliance process because they eliminate redundancies, says Othersen. For example, a company might have separate Sarbanes-Oxley and Gramm-Leach-Bliley Act teams each testing the same access controls. GRC tools can identify whether teams are doing the same tests. "Some companies have 300 teams, so they could potentially be doing the same tests and getting the same results 300 different times," says Othersen.

An Emphasis on Process

Compliance is a major corporate objective at Purdue Pharma, a player in the highly regulated pharmaceutical arena. The $2.5 billion company, which operates only in the U.S., views compliance as both a business-process and a governance challenge. So Purdue Pharma VP and CIO Larry Pickett opted to use the company's existing suite of office applications (Microsoft Word, Excel and SharePoint) and its business processes to manage the information that supports regulatory requirements.

Pickett believes a company can effectively manage its own compliance needs with the proper executive commitment and structure in place. For that reason, he doesn't see the need for a GRC tool, since compliance is embedded in the company's business processes.

The first step, he says, is identifying and prioritizing the business risks facing the organization. For instance, a major risk, such as Information Systems Quality Assurance compliance, is assigned to the appropriate business owners, who then oversee their own specific solutions and reports in collaboration with IT. That data is collected in the Microsoft Office products; it is then shared and reviewed at various committee meetings held by the business owners.

"If there is a structure in place, it's pretty straightforward to see if you are compliant," Pickett says.

"I'm not saying that collecting and reporting data in a tool is useless, but I just don't see the need for it in terms of risk management," he adds. "The audit committees here aren't looking at a tool. They are looking at the risks, the challenges and what we are doing."

The main focus of a GRC regimen should be identifying and managing the risks around the business, not implementing technology for the sake of technology, says Pickett.

Face it: The need for compliance isn't going away. And while the choice to purchase a tool to document and automate the process is yours, the choice to follow the regulations is not.